Chapter 8 - 05 - Understand Fundamentals Of Penetration Testing and its Benefits - 04_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Phases of Penetration Testing Pre-Attack Phase Research (Information Gathering) Attack Phase Testing/Exploitation Post-Attack Phase Documentation and Reporting Phases of Penetration Testing There are three phases in penetration testing: the pre-attack, attack, and post-attack phases. Pre-attack Phase This phase focuses on gathering as much information as possible about the target. Information can be gathered invasively through, for example, passive and active reconnaissance, port scanning, service scanning, and OS scanning, or it can be gathered noninvasively by, for example, reviewing public records. Beginning with passive and active reconnaissance, the tester gathers as much information as possible about the target company. Most leaked information is related to the network topology and types of services running within. The tester can use this information to provisionally map out the network for planning a more coordinated attack strategy. Passive reconnaissance involves the following: o Mapping the directory structure of the web servers and FTP servers. o Gathering competitive intelligence. o Determining the value of infrastructure interfacing with the web. o Retrieving network registration information from Whois databases and financial websites. o Determining the product range and service offerings of the target company that are available online or can be requested offline. Module 08 Page 1112 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools o Document Exam 212-82 sifting, which refers to gathering information solely from published material. o Social engineering can be performed targeted easily based by identifying a conduit (a person who can be on the information gained about personnel) and profiling them. In active reconnaissance, the information-gathering process encroaches on the target territory. Here, the perpetrator may send probes to the target in the form of port scans, network sweeps, enumeration of shares and user accounts, and so on. The tester may adopt techniques such as social engineering and use tools that automate such as scanners and sniffers. = these tasks Attack Phase The information gathered in the pre-attack phase forms the basis of the attack strategy. During the attack phase, the attack strategy is developed and executed. The attack phase involves the actual compromise of the target. The tester may exploit a vulnerability discovered during the pre-attack phase or use security loopholes such as a weak security policy to gain access to the system. The important point here is that while the tester needs only one port of entry, organizations must defend several. Once inside, the tester may escalate their privileges, system, and exploit it to achieve their goal. = install a backdoor to sustain access to the Post-attack Phase The post-attack phase is a crucial part of the testing process, as the tester needs to restore the network to its original state. This involves cleaning up testing processes, removing vulnerabilities created (not those that existed originally), exploits crafted, and so on, until all systems tested are returned to their states prior to testing. The objective of the test is to show where security fails. Unless there is a scaling of the penetration test agreement, whereby the tester is assigned the responsibility to correct the security posture of the systems, this phase completes the process of penetration testing. Activities in this phase include (but are not restricted to) the following: o Reversing all file and setting manipulations performed during the test o Reversing all changes to privileges and user settings o Mapping of the network state o Documenting and capturing all logs registered during the test It is important that the penetration tester documents all their activities and records all observations and results so that the test can be repeated and verified for the given security posture of the organization. For the organization to quantify the security risk in business terms, it is essential that the tester identifies the critical systems and critical resources and maps the threat to these. Module 08 Page 1113 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Penetration Testing Methodologies Various penetration testing frameworks and methodologies exist to help organizations choose the best method to conduct a successful penetration test Most commonly used methodologies: Proprietary Methodologies Open-source Methodologies EC-Council’s LPT 0SSTMM IBM ISSAF ISS NIST McAfee Foundstone OWASP Penetration Testing Methodologies Various penetration testing frameworks and methodologies exist to help organizations choose the best method to conduct a successful penetration test. The cornerstone of a successful penetration test is the methodology involved in devising it. The underlying methodology should help the tester by providing a systematic approach to the testing pattern. The test must satisfy adjectives such as consistency, accuracy, and efficiency, and the testing methodology should be adequate. This does not mean that the entire framework should be restrictive. The two types of penetration testing methodologies are as follows: = Proprietary methodologies There are many organizations that work on penetration testing and offer services and certifications. Network security organizations have their own methodologies that are to be kept confidential. The following are some proprietary methodologies: = o EC-Council’s Licensed Penetration Tester (LPT) o IBM o ISS o McAfee Foundstone Open-source and public methodologies A wide range of methodologies are publicly available. They can be used by anybody and are intended for public use only. o Open Source Security Testing Methodology Manual Module 08 Page 1114 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools The Open Source Exam 212-82 Security Testing Methodology Manual was compiled by Pete Herzog. It is a standard set for penetration testing to achieve security metrics. It is considered the de-facto highest level of testing, and it ensures high consistency and remarkable accuracy. o Information Systems Security Assessment Framework The Information Systems Security Assessment Framework evaluates an organization’s information security processes and policies. o National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is a federal technology agency that works with the industry to develop and apply technology, measurements, and standards. o Open Web Application Security Project The Open provides Web a set Application of tools and Security a Project knowledge is an open-source base, which help methodology. in protecting It web applications and services. It is beneficial for system architects, vendors, developers, security professionals, and consumers who might work on designing, developing, deploying, and testing the security of web services and web applications. o CREST CREST is the not-for-profit accreditation and certification body representing the technical information security industry. CREST provides internationally recognized accreditation for organizations and individuals providing penetration testing, cyber incident response and threat intelligence services. Module 08 Page 1115 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.